openstack/puppet-nova
Code Issues Proposed changes

key_manager: Add service user options for Barbican key manager

Browse Source 
This change introduces some parameters to set up the service user token
feature for Barbican key manager, which was implemented during the Xena
cycle[1].

[1] 162039467ad0dfc5e25a16b75d9072d607690702

Depends-on: https://review.opendev.org/810451
Change-Id: I217e20e3d10fecffd3fb8654f047a7e285331723
This commit is contained in:
Takashi Kajinami
2022-01-06 13:37:57 +09:00
parent cf3f239de0
commit 3453611d08
5 changed files with 225 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
manifests/key_manager/barbican.pp
View File

@@ -33,14 +33,19 @@
# (Optional) Specifies the region of the chosen endpoint.
# Defaults to $::os_service_default
#
# [*send_service_user_token*]
# (Optional) The service uses service token feature when this is set as true.
# Defaults to $::os_service_default
#
class nova::key_manager::barbican (
$barbican_endpoint = $::os_service_default,
$barbican_api_version = $::os_service_default,
$auth_endpoint = $::os_service_default,
$retry_delay = $::os_service_default,
$number_of_retries = $::os_service_default,
$barbican_endpoint_type = $::os_service_default,
$barbican_region_name = $::os_service_default,
$barbican_endpoint = $::os_service_default,
$barbican_api_version = $::os_service_default,
$auth_endpoint = $::os_service_default,
$retry_delay = $::os_service_default,
$number_of_retries = $::os_service_default,
$barbican_endpoint_type = $::os_service_default,
$barbican_region_name = $::os_service_default,
$send_service_user_token = $::os_service_default,
) {
include nova::deps
@@ -56,12 +61,13 @@ class nova::key_manager::barbican (
})
oslo::key_manager::barbican { 'nova_config':
barbican_endpoint => $barbican_endpoint_real,
barbican_api_version => $barbican_api_version_real,
auth_endpoint => $auth_endpoint_real,
retry_delay => $retry_delay,
number_of_retries => $number_of_retries,
barbican_endpoint_type => $barbican_endpoint_type,
barbican_region_name => $barbican_region_name,
barbican_endpoint => $barbican_endpoint_real,
barbican_api_version => $barbican_api_version_real,
auth_endpoint => $auth_endpoint_real,
retry_delay => $retry_delay,
number_of_retries => $number_of_retries,
barbican_endpoint_type => $barbican_endpoint_type,
barbican_region_name => $barbican_region_name,
send_service_user_token => $send_service_user_token,
}
}

94
manifests/key_manager/barbican/service_user.pp Normal file
View File

@@ -0,0 +1,94 @@
# == Class: nova::key_manager::barbican::service_user
#
# Setup and configure the service token feature for Barbican Key Manager
#
# === Parameters
#
# [*password*]
# (Required) Password to create for the service user
#
# [*username*]
# (Optional) The name of the service user
# Defaults to 'nova'
#
# [*auth_url*]
# (Optional) The URL to use for authentication.
# Defaults to 'http://localhost:5000'
#
# [*project_name*]
# (Optional) Service project name
# Defaults to 'services'
#
# [*user_domain_name*]
# (Optional) Name of domain for $username
# Defaults to 'Default'
#
# [*project_domain_name*]
# (Optional) Name of domain for $project_name
# Defaults to 'Default'
#
# [*insecure*]
# (Optional) If true, explicitly allow TLS without checking server cert
# against any certificate authorities. WARNING: not recommended. Use with
# caution.
# Defaults to $::os_service_default
#
# [*auth_type*]
# (Optional) Authentication type to load
# Defaults to 'password'
#
# [*auth_version*]
# (Optional) API version of the admin Identity API endpoint.
# Defaults to $::os_service_default.
#
# [*cafile*]
# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
# connections.
# Defaults to $::os_service_default.
#
# [*certfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*keyfile*]
# (Optional) Required if identity server requires client certificate
# Defaults to $::os_service_default.
#
# [*region_name*]
# (Optional) The region in which the identity server can be found.
# Defaults to $::os_service_default.
#
class nova::key_manager::barbican::service_user(
$password,
$username = 'nova',
$auth_url = 'http://localhost:5000',
$project_name = 'services',
$user_domain_name = 'Default',
$project_domain_name = 'Default',
$insecure = $::os_service_default,
$auth_type = 'password',
$auth_version = $::os_service_default,
$cafile = $::os_service_default,
$certfile = $::os_service_default,
$keyfile = $::os_service_default,
$region_name = $::os_service_default,
) {
include nova::deps
oslo::key_manager::barbican::service_user { 'nova_config':
username => $username,
password => $password,
auth_url => $auth_url,
project_name => $project_name,
user_domain_name => $user_domain_name,
project_domain_name => $project_domain_name,
insecure => $insecure,
auth_type => $auth_type,
auth_version => $auth_version,
cafile => $cafile,
certfile => $certfile,
keyfile => $keyfile,
region_name => $region_name,
}
}

8
releasenotes/notes/barbican_service_user-887eb51cb8e9efce.yaml Normal file
View File

@@ -0,0 +1,8 @@
---
features:
- |
The following parameter and class have been added, to support usage of
the service token feature with the Barbican key manager.
- The ``nova::key_manager::barbican::send_service_user_token`` parameter
- The ``nova::key_manager::barbican::service_user`` class

79
spec/classes/nova_key_manager_barbican_service_user_spec.rb Normal file
View File

@@ -0,0 +1,79 @@
require 'spec_helper'
describe 'nova::key_manager::barbican::service_user' do
shared_examples 'nova::key_manager::barbican::service_user' do
let :params do
{ :password => 'secret' }
end
context 'with default parameters' do
it {
is_expected.to contain_oslo__key_manager__barbican__service_user('nova_config').with(
:username => 'nova',
:password => 'secret',
:auth_url => 'http://localhost:5000',
:project_name => 'services',
:user_domain_name => 'Default',
:project_domain_name => 'Default',
:insecure => '<SERVICE DEFAULT>',
:auth_type => 'password',
:auth_version => '<SERVICE DEFAULT>',
:cafile => '<SERVICE DEFAULT>',
:certfile => '<SERVICE DEFAULT>',
:keyfile => '<SERVICE DEFAULT>',
:region_name => '<SERVICE DEFAULT>',
)
}
end
context 'with specified parameters' do
before :each do
params.merge!({
:username => 'alt_nova',
:auth_url => 'http://127.0.0.1:5000',
:project_name => 'alt_services',
:user_domain_name => 'Domain1',
:project_domain_name => 'Domain2',
:insecure => false,
:auth_type => 'v3password',
:auth_version => 'v3',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:keyfile => 'keyfile',
:region_name => 'regionOne',
})
end
it {
is_expected.to contain_oslo__key_manager__barbican__service_user('nova_config').with(
:username => 'alt_nova',
:password => 'secret',
:auth_url => 'http://127.0.0.1:5000',
:project_name => 'alt_services',
:user_domain_name => 'Domain1',
:project_domain_name => 'Domain2',
:insecure => false,
:auth_type => 'v3password',
:auth_version => 'v3',
:cafile => '/opt/stack/data/cafile.pem',
:certfile => 'certfile.crt',
:keyfile => 'keyfile',
:region_name => 'regionOne',
)
}
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge(OSDefaults.get_facts())
end
it_behaves_like 'nova::key_manager::barbican::service_user'
end
end
end

45
spec/classes/nova_key_manager_barbican_spec.rb
View File

@@ -5,13 +5,14 @@ describe 'nova::key_manager::barbican' do
context 'with default parameters' do
it {
is_expected.to contain_oslo__key_manager__barbican('nova_config').with(
:barbican_endpoint => '<SERVICE DEFAULT>',
:barbican_api_version => '<SERVICE DEFAULT>',
:auth_endpoint => '<SERVICE DEFAULT>',
:retry_delay => '<SERVICE DEFAULT>',
:number_of_retries => '<SERVICE DEFAULT>',
:barbican_endpoint_type => '<SERVICE DEFAULT>',
:barbican_region_name => '<SERVICE DEFAULT>',
:barbican_endpoint => '<SERVICE DEFAULT>',
:barbican_api_version => '<SERVICE DEFAULT>',
:auth_endpoint => '<SERVICE DEFAULT>',
:retry_delay => '<SERVICE DEFAULT>',
:number_of_retries => '<SERVICE DEFAULT>',
:barbican_endpoint_type => '<SERVICE DEFAULT>',
:barbican_region_name => '<SERVICE DEFAULT>',
:send_service_user_token => '<SERVICE DEFAULT>',
)
is_expected.to contain_package('cryptsetup').with(
@@ -24,25 +25,27 @@ describe 'nova::key_manager::barbican' do
context 'with specified parameters' do
let :params do
{
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:send_service_user_token => true,
}
end
it {
is_expected.to contain_oslo__key_manager__barbican('nova_config').with(
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:barbican_endpoint => 'http://localhost:9311/',
:barbican_api_version => 'v1',
:auth_endpoint => 'http://localhost:5000',
:retry_delay => 1,
:number_of_retries => 60,
:barbican_endpoint_type => 'public',
:barbican_region_name => 'regionOne',
:send_service_user_token => true,
)
is_expected.to contain_package('cryptsetup').with(